I wrote that knowing he'd have fallen afoul of malice and obstruction (I doubt very much public harm, though). Those tests are all things I've seen in other statutes, for what it's worth. But, on the off chance that this helps clarify my mentality t you, I'm thinking we have an O(n) problem with CFAA sentencing today, and my alternative model is O(1).
He also could have gone to court with some confidence that even if a jury was so petrified by "computer hacking" and so snowed by the complexity and broadness of the law, he'd stand a very good chance of establishing that he had no true malicious intent, and that his attempts to obstruct investigation were minimal (for instance, he used Mailinator, with its prima facie artificial addresses, instead of more realistic throwaway Gmail addresses).
What sentence do you think Aaron should have been facing in court? How about someone who roots and wipes a multiuser box for revenge? How do you discriminate between the two?
I've got a hard time trying to come up with something "right" because it doesn't feel like Aaron's access should really be a crime at all, and JSTOR can go for civil damages or criminal copyright infringement. And it also doesn't feel like we need a law to punish someone for using a computer while defrauding a bank, because we've already got a law for defrauding a bank that even gets applied when you do it in person. And to the extent that one can cause purely virtual destruction (and hence not have any physical world laws apply), that should be the thing that is addressed as the primary crime, instead of having a lone charge of something that is usually bundled on top of other crimes to punish harder.
What about punishment of cracking applying solely to damage done to the cracked systems (either categorically or monetarily, and possibly including something like your tests)? This would also put someone who successfully tries an sshd exploit and then emails the administrator completely in the right - something we've never had. What scenarios would this leave completely unpunished (with no applicable laws), and can those just be fixed with similar categories?
He also could have gone to court with some confidence that even if a jury was so petrified by "computer hacking" and so snowed by the complexity and broadness of the law, he'd stand a very good chance of establishing that he had no true malicious intent, and that his attempts to obstruct investigation were minimal (for instance, he used Mailinator, with its prima facie artificial addresses, instead of more realistic throwaway Gmail addresses).